A firewall will no longer protect your company network: you have to cope with users needing to take documents out, and with attackers trying to get in. The best security advice is to assume that your network can be penetrated — and that it might already have been penetrated — and to ensure you know how to detect and respond to attacks. This book is a step-by-step guide to doing exactly that.
The problem — and the idea of monitoring, logging and analysing activity on your network to detect intruders — is nothing new, and the foreword to The Practice of Network Security Monitoring: Understanding Incident Detection and Response includes a potted history of early network intrusion detection systems, including author Richard Bejtlich's early work for the US Air Force (Bejtlich now works at Mandiant, who you may remember from their report on network intrusions by Chinese hackers).
That experience convinced Bejtlich that prevention eventually fails. That doesn't mean admitting defeat though: if you can't stop all attackers getting in, then concentrate on frustrating them, using the time bought by your defences to detect them and eject them from your network. In one case study, Bejtlich describes how an attacker who eventually stole the entire payments database from the South Carolina Department of Revenue spent four weeks exploring the network before copying any files. If monitoring had detected the hacker during that month, no identity information would have been lost.
For the general reader, the explanations of how network security monitoring differs from seeking vulnerabilities in your systems and software, or from filtering and blocking confidential information, are a good introduction. The discussion of how privacy laws affect monitoring your business network is also very useful. The recent case of a company that reported an ex-employee to the police because the company laptop they were still using had been used to search for information about pressure cookers, bombs and backpacks is an excellent example of the kind of situation your company policies will need to cover.
Tools and techniques
After this, though, the book jumps straight into the technical details, starting with logging data, inspecting network packets, viewing network traffic in Wireshark, reconstructing logged web browsing in Xplico and looking at session and transaction data. If you ever wonder why the NSA is collecting metadata instead of just files and emails, this gives you a good idea of how much you can learn from metadata.
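To show how much session metadata alone gives away, here is an added example (not code from the book or its author) that triages constructed connection records laid out in the style of a Zeek/Bro conn.log, the kind of session data a Security Onion sensor produces. The field order, the sample addresses and the thresholds are assumptions made for the example. Without inspecting a single payload byte it finds an internal host that uploaded far more than it downloaded to one external address, and a host whose connections to an external address recur at a suspiciously regular interval.

```python
"""Session-metadata triage: what flow records reveal without any payload."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample records (Zeek conn.log style, tab separated).
# Fields: ts  orig_h  resp_h  resp_p  proto  duration  orig_bytes  resp_bytes
SAMPLE_CONN_LOG = """\
1000.0\t10.1.1.20\t10.1.1.5\t445\ttcp\t2.0\t4200\t91000
1060.0\t10.1.1.20\t203.0.113.9\t443\ttcp\t0.4\t310\t512
1120.0\t10.1.1.20\t203.0.113.9\t443\ttcp\t0.5\t305\t498
1180.0\t10.1.1.20\t203.0.113.9\t443\ttcp\t0.4\t312\t530
1240.0\t10.1.1.20\t203.0.113.9\t443\ttcp\t0.6\t308\t505
1300.0\t10.1.1.20\t203.0.113.9\t443\ttcp\t0.5\t309\t511
1400.0\t10.1.1.31\t198.51.100.7\t443\ttcp\t12.0\t9000\t1500000
1500.0\t10.1.1.20\t203.0.113.9\t443\ttcp\t1800.0\t2400000000\t64000
"""

# Assumed address plan: RFC 1918 space is "inside", everything else is "outside".
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]


def parse_conn_log(text):
    """Turn the tab-separated records into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, oh, rh, rp, proto, dur, ob, rb = line.split("\t")
        rows.append({"ts": float(ts), "orig_h": oh, "resp_h": rh,
                     "resp_p": int(rp), "proto": proto, "duration": float(dur),
                     "orig_bytes": int(ob), "resp_bytes": int(rb)})
    return rows


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def outbound_volume(rows):
    """Bytes each internal host sent to each external host, summed over sessions."""
    totals = defaultdict(int)
    for r in rows:
        if is_internal(r["orig_h"]) and not is_internal(r["resp_h"]):
            totals[(r["orig_h"], r["resp_h"])] += r["orig_bytes"]
    return dict(totals)


def large_uploads(rows, threshold_bytes=100 * 1024 * 1024):
    """Internal->external pairs whose total upload exceeds the threshold."""
    return sorted(pair for pair, sent in outbound_volume(rows).items()
                  if sent >= threshold_bytes)


def beacon_candidates(rows, min_sessions=5, max_spread=0.2):
    """Internal->external pairs whose connection times are nearly periodic.

    Uses the median gap and the median absolute deviation so that one
    long or late session (such as the bulk transfer above) does not hide
    an otherwise regular pattern.
    """
    times = defaultdict(list)
    for r in rows:
        if is_internal(r["orig_h"]) and not is_internal(r["resp_h"]):
            times[(r["orig_h"], r["resp_h"], r["resp_p"])].append(r["ts"])
    found = []
    for key, ts in times.items():
        if len(ts) < min_sessions:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = median(gaps)
        spread = median(abs(g - period) for g in gaps)
        if period > 0 and spread / period <= max_spread:
            found.append((key, round(period, 1)))
    return found


if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_CONN_LOG)
    print("large uploads:", large_uploads(records))
    print("beacon candidates:", beacon_candidates(records))
```

Run over the constructed log, the upload check flags 10.1.1.20 talking to 203.0.113.9, and the beacon check reports the same pair on port 443 with a 60-second period. Neither result needed file names, URLs or decrypted content: direction, volume and timing were enough, which is exactly the point the book makes about session data.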
Since security is more about process than technology and every network is different, Bejtlich shows you how to analyse your network to decide where to do your monitoring, either by mirroring traffic from a switch port or with a hardware network tap, and how to specify the server that will do the monitoring. His suggested toolset starts with Security Onion, a network security monitoring suite built on Ubuntu, and he covers a range of tools that work with it for analysing the collected data further. For Windows admins, he suggests getting used to Linux. Fully covering tools like Microsoft's Network Monitor would be outside the scope of the book, but it would have been useful to include a discussion of what comparable tools are available on other platforms (Wireshark is just as useful if you're running network monitoring from Windows, for example). The conclusion does mention two cloud network security monitoring options, ThreatStack and PacketLoop, although only briefly.
Plenty of books explain how to set up your network (the advice here concentrates on designing your security process), but few cover what to do when the intruders arrive. Here the author walks you through what your monitoring tools will show you when you're attacked — over the network, or through applications like email and web browsers. In one example, a tweet is sent with a web link that installs Java and exploits a Java vulnerability to install a keylogger, capture passwords and infect a second system.
This book is most useful if you plan to use the recommended tools to monitor your network, but the approach applies to other tools as well. And the principles Bejtlich outlines for running your security monitoring are the kind of best practice you should apply to any important server: limit admin access, never share the root account, use authentication, don't manage the monitoring account using the same tools you use to manage user accounts, use full disk encryption and keep your monitoring tools up to date. Don't assume you can protect your network, but do find out how to defend it.
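Three of the principles in that list (limit admin access, never share the root account, use authentication) can be checked mechanically on the sensor itself. The following added example, which is not from the book or Security Onion, audits an OpenSSH server configuration for them. The two configurations are constructed for the example, the group name nsm-admins is invented, and the audit deliberately handles only top-level keywords (Match blocks are out of scope); the parser does follow sshd's real rule that the first occurrence of a keyword wins.

```python
"""Audit an sshd_config against the admin-access principles for a monitoring server."""

# Constructed example of a permissive sensor configuration.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed example: named admins only, keys only, no direct root login.
# The group name nsm-admins is invented for this example.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups nsm-admins
"""


def parse_sshd_config(text):
    """Return the effective keyword -> value map for top-level directives.

    sshd keywords are case-insensitive and the first occurrence of a keyword
    is the one that takes effect, so later duplicates are ignored here too.
    Match blocks are not modelled (an assumption of this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """List the principles from the review that this configuration violates."""
    s = parse_sshd_config(text)
    findings = []
    # "never share the root account": a direct root login is anonymous to
    # the audit trail, so every admin should log in as themselves and escalate.
    # OpenSSH's default for PermitRootLogin is prohibit-password.
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin allows direct root login")
    # "use authentication": keys rather than guessable or shared passwords.
    # OpenSSH's default for PasswordAuthentication is yes.
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is enabled")
    # "limit admin access": restrict who may log in at all, not just how.
    if not any(k in s for k in ("allowusers", "allowgroups")):
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

The weak configuration produces three findings and the hardened one none. The remaining principles on the list (keeping the monitoring account out of your ordinary account-management tooling, full disk encryption, patching the tools) are operational rather than a single file to parse, which is why the example stops where it does.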
The Practice of Network Security Monitoring: Understanding Incident Detection and Response
By Richard Bejtlich
No Starch Press
£34.49 / $49.95